On Wed, 2019-10-23 at 22:47 -0500, Nayna Jain wrote: > This patchset extends the previous version[1] by adding support for > checking against a blacklist of binary hashes. > > The IMA subsystem supports custom, built-in, arch-specific policies to > define the files to be measured and appraised. These policies are honored > based on priority, where arch-specific policy is the highest and custom > is the lowest. > > PowerNV system uses a Linux-based bootloader to kexec the OS. The > bootloader kernel relies on IMA for signature verification of the OS > kernel before doing the kexec. This patchset adds support for powerpc > arch-specific IMA policies that are conditionally defined based on a > system's secure boot and trusted boot states. The OS secure boot and > trusted boot states are determined via device-tree properties. > > The verification needs to be performed only for binaries that are not > blacklisted. The kernel currently only checks against the blacklist of > keys. However, doing so results in blacklisting all the binaries that > are signed by the same key. In order to prevent just one particular > binary from being loaded, it must be checked against a blacklist of > binary hashes. This patchset also adds support to IMA for checking > against a hash blacklist for files. signed by appended signature. > > [1] http://patchwork.ozlabs.org/cover/1149262/ Thanks, Nayna. Please feel free to add my Signed-off-by tag on patches (2, 4, 5, 7 & 8). thanks, Mimi